Comments on Paul's Pontifications: Why Making Software Companies Liable Will Not Improve Security
Blog author: Paul Johnson (http://www.blogger.com/profile/07353083601285449293)
Comment feed last updated: 2014-11-28T17:04:01.955-08:00
5 comments, newest first.


Grahame (http://www.blogger.com/profile/08635283945076545993), 2008-07-24T06:13:00.000-07:00

Agree with this, though you could've leveraged the economics a bit harder. The fact is that in some domains, the users have a choice, and choose to buy insecure software at 1% of the price.

As for weavejester: sounds like standard healthcare development, whereas your experience sounds not so much like medical devices as a device intended for implantation.


Paul Johnson (http://www.blogger.com/profile/07353083601285449293), 2007-08-14T11:36:00.000-07:00

weavejester: have you had real FDA inspections, or just customer audits?

Paul.


Jeff (http://www.blogger.com/profile/11738801509230601446), 2007-08-13T21:40:00.000-07:00

Software security will stay the same or get worse, and then be used as an excuse to bring in "Trusted Computing", which will be the end of freedom in computing.


Weavejester (http://www.blogger.com/profile/15518934201255364120), 2007-08-13T17:04:00.000-07:00

Perhaps the regulations for building medical devices are more stringent than the regulation covering the gathering and storage of pharmaceutical data, but I have not seen anything near the difficulties you outline.

I help develop software to capture and record medical data in pharmaceutical trials, and have done for a couple of years now. Whilst this is a relatively short time, it is perhaps long enough to get some understanding of the regulatory processes governing software designed for medical use, at least as it pertains to software development.

A considerably greater proportion of effort goes into ensuring that data is stored correctly and safely than would with "normal" software. Detailed audit trails are a must, and the QC can become very involved and exact. However, it's been my experience that things aren't nearly as bad as you make out: complying with regulations and passing customer audits is not a feat of impossibility; we do it all the time.


Anonymous, 2007-08-13T11:20:00.000-07:00

I'd say that if software developers had to take out insurance, perhaps different insurance companies would come up with different guidelines and best practices, and would get to the bottom of what worked well, because it was costing them more money.

Having said that, I don't think mandatory liability makes any sort of sense. Right now, users and software vendors are perfectly able to enter into consensual agreements specifying liability. The fact is, they don't, because it's really hard to warrant security of a whole system, and when you've got pieces interacting, now even the documentation has to be absolutely unambiguous, lest you create bugs in the interfaces.

Really, I think the solution is what's going on today. You use free (open source) software, which can be looked at by many eyeballs. This helps audit the software, but more importantly, makes any changes happen under scrutiny. Then you engineer the system so that even if one component fails, you don't have a breach.